ANNEX

GUIDELINES FOR COMPETENT AUTHORITIES' AUDIT SYSTEMS

Contents

1.

PURPOSE AND SCOPE

2.

BACKGROUND AND LEGAL BASIS

2.1.

Article 4(6): operational criteria for competent authorities

2.2.

Article 2(6): definition of ‘audit’

3.

DEFINITIONS

4.

GENERAL GUIDANCE

5.

NATURE OF THE AUDIT PROCESS

5.1.

Systematic approach

5.2.

Transparency

5.3.

Independence

5.4.

Independent scrutiny

6.

IMPLEMENTATION OF THE AUDIT PROCESS

6.1.

Guiding principles: (a) compliance with planned arrangements; (b) effective implementation; (c) suitability to achieve objectives

6.2.

Audit reporting

6.3.

Follow-up of audit results

6.4.

Audit review and dissemination of best practice

6.5.

Resources

6.6.

Auditor competence

1.   Purpose and Scope

These guidelines provide guidance on the nature and the implementation of audit systems by national competent authorities. The purpose of audit systems is to verify whether official controls relating to feed and food law and animal health and animal welfare rules are effectively implemented and are suitable to achieve the objectives of the relevant legislation, including compliance with national control plans.

These guidelines seek to lay down principles to observe rather than stipulating detailed methods with a view to facilitating their application to the diversity of Member State control systems. The methods selected for applying the principles in these guidelines may vary depending on the size, nature, number and complexity of the competent authorities responsible for official controls throughout the Member States.

2.   Background and legal basis — Regulation (EC) No 882/2004

These guidelines lay down criteria for conducting the audits provided for in Article 4(6) of Regulation (EC) No 882/2004. In this connection the following extracts from that Regulation are relevant:

2.1.   Article 4(6): operational criteria for competent authorities

‘Competent authorities shall carry out internal audits or may have external audits carried out, and shall take appropriate measures in the light of their results, to ensure that they are achieving the objectives of this Regulation. These audits shall be subject to independent scrutiny and shall be carried out in a transparent manner.’

2.2.   Article 2(6): definition of ‘audit’

‘ “Audit” means a systematic and independent examination to determine whether activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives.’

3.   Definitions

For the purposes of these guidelines, the definitions laid down in Article 2 of Regulation (EC) No 882/2004, Articles 2 and 3 of Regulation (EC) No 178/2002 of the European Parliament and of the Council (1), ISO 19011:2002 (2) 4 and ISO 9000:2000 (3) apply.

In particular the following definitions from ISO 19011:2002 and ISO 9000:2000 should be noted:

‘Audit criteria’ means the set of policies, procedures or requirements used as a reference against which audit evidence is compared, i.e. the standard against which the auditee’s activities are assessed.

‘Audit plan’ means the description of the activities and arrangements for an audit.

‘Audit programme’ means a set of one or more audits planned for a specific time frame and directed towards a specific purpose.

‘Audit team’ means one or more auditors conducting an audit supported if needed by technical experts.

‘Auditee’ means organisation being audited.

‘Auditor’ means a person with the competence to conduct an audit.

‘Corrective action’ means action to eliminate the cause of a detected non-conformity or other undesirable situation.

‘Preventive action’ means action to eliminate the cause of a potential non-conformity or other undesirable situation.

‘Technical expert’ means a person who provides specific knowledge or expertise to the audit team.

For the purposes of these Guidelines, the following definitions apply:

‘Audit Body’ means the body that carries out the audit process. This may be an internal or external entity.

‘Audit process’ means the set of activities described in Section 5.1. (Systematic Approach).

‘Audit system’ means the combination of one or more audit bodies carrying out an audit process within or across competent authorities.

‘Production chain’ means the whole production chain incorporating all ‘stages of production, processing and distribution’ as defined in Article 3(16) of Regulation (EC) No 178/2002.

4.   General Guidance

Where a combination of audit systems is introduced in a Member State, mechanisms should be put in place to ensure that the audit systems cover all control activities under Regulation (EC) No 882/2004, including animal health and animal welfare and at all stages of the feed and food-production chain, and including the activities of all agencies or control bodies involved.

In particular, where control tasks are delegated to a control body, and the competent authority has chosen to audit rather than to inspect the control body, then the contractual obligations of that delegated body should include the acceptance of auditing requirements and the conditions thereof.

In addition to the specific guidance set out in this document, ISO 19011:2002 should be referred to for general guidance.

5.   Nature of the audit process

5.1.   Systematic Approach

A systematic approach should be applied to the planning, conduct, follow-up and management of audits. To that end, the audit process should:

—	be the result of a transparent planning process identifying risk-based priorities in line with the competent authority’s responsibilities under Regulation (EC) No 882/2004,

—	form part of an audit programme that ensures adequate coverage of all relevant areas of activity and all relevant competent authorities within the sectors covered by Regulation (EC) No 882/2004 at an appropriate risk-based frequency over a period not exceeding five years,

—	be supported by documented audit procedures and records to ensure consistency between auditors and to demonstrate that a systematic approach is followed,

—	include procedures for generating audit findings, including the identification of evidence of compliance and non-compliance, as appropriate, and for preparing, approving and distributing audit reports,

—	include procedures to review audit conclusions, in order to identify system-wide strengths and weaknesses in the control system, disseminate best practice and ensure the monitoring of corrective and preventive actions,

—	be monitored and reviewed to ensure the audit programme's objectives have been met and to identify opportunities for improvement.

Where more than one audit programme is envisaged within a Member State, steps should be taken to ensure that such programmes are effectively coordinated, so as to ensure a seamless audit process across the relevant competent authorities. The audit programme(s) should also cover all relevant levels of the competent authority’s hierarchy.

5.2.   Transparency

In order to demonstrate the audit process is transparent, documented procedures should, in particular, include a clearly defined audit planning process, audit criteria and audit report approval and distribution mechanisms.

Management and implementation of the audit process should be transparent to all relevant stakeholders. In particular, there should be full transparency between the audit body and the auditee. Ensuring the audit process is transparent in the eyes of other stakeholders will assist in the dissemination of information, and in particular in the sharing of best practice within and between competent authorities.

The Member States should adopt the appropriate measures to ensure their audit systems are transparent, taking national legal and other requirements into account. To that end, the Member States should consider encouraging practices that improve the transparency of the process. Some examples of such practices are listed in the Table below. When deciding on such measures, the Member States should balance the need for transparency against the risk of undermining the audit system's ability to achieve its objectives. In order to optimise the benefits of transparency, it should be combined with balanced reporting, that is a proper mixture of verified compliance (positive findings) and areas for improvement (negative findings).

Table

Examples of practices improving the transparency of an audit process

Audit body practices	Auditee	Within competent authority	Across competent authorities (within Member States)	Public and other stakeholders
Access to documented audit body procedures
Consultation on planning of audit programme
Publication of audit programme
Submission of audit plan
Opportunity to comment on draft audit report
Distribution of final audit report
Publication of auditee’s comments on draft report
Publication of final audit report
Publication of summaries of final audit reports and of annual report
Publication of auditee’s action plan
Publication of follow-up results
Note: Member States should select the practices (first column) and the extent to which they are applied (remaining columns) which are appropriate to their particular circumstances.

5.3.   Independence

Audit bodies should be free from any commercial, financial, hierarchical, political or other pressures that might affect their judgment or the outcome of the audit process. The audit system, audit body and auditors should be independent of the activity being audited and free from bias and conflicts of interest. Auditors should not audit areas or activities for which they have direct responsibility.

All relevant competent authorities should introduce safeguards to ensure that responsibility and accountability for audit and control activities, such as the management and supervision of official control systems, are kept sufficiently distinct.

Where the audit team makes recommendations for corrective and preventive action, the auditee should choose the methods to be applied for such action. Active audit team involvement in follow-up should be limited to assessing the suitability of the action plan and the effectiveness of the corrective and preventive action. Auditees should not be in a position to impede the audit programme, findings or conclusions. They should be consulted on the draft report and their comments should be considered by the audit body. Where appropriate, those comments should be taken into account in a transparent manner.

The following points may help ensure that the audit process safeguards the independence of both the audit body and the audit team:

—	a clear, documented mandate affording adequate power to conduct the audits should be provided,

—	neither the audit body nor the audit team should be involved in managing or supervising the control systems being audited,

—	for external audits, the audit body and audit team should be external to, and independent of, the organisational hierarchy of the auditee,

—

for internal audits, the following general principles should apply to ensure the process is independent and transparent: — the audit body and audit team should be appointed by top management, — the audit body and/or the audit team should report to top management, — a check should be carried out to ensure no conflict of interest exists for either the audit body or the audit team.

Independent audit bodies should be external to or separate from the management of audited activities. Internal audit bodies should report to the most senior management within the organisational structure.

Where technical expertise required for the audit is available only within a competent authority, measures should be taken to ensure the audit team remains independent. Where control activities are organised on a regional basis, technical specialists could be exchanged in order to ensure they are independent.

5.4.   Independent Scrutiny of the Audit Process

In order to check whether it is achieving its objectives, the audit process should be subject to scrutiny by an independent person or body. Such independent person or body should have sufficient authority, expertise and resources to carry out this task effectively. The approaches to independent scrutiny may vary, depending on the activity or the competent authority. Where a body or a committee has been established with a view to independent scrutiny of the audit process, one or more independent persons should be members of such body or committee. Such independent persons should have access to the audit process and be empowered to contribute fully to it. Action should be taken to remedy any shortcomings identified in the audit process by the independent person or body.

6.   Implementation of the Audit Process

6.1.   Guiding Principles: (a) Compliance with planned arrangements; (b) Effective implementation; (c) Suitability to achieve objectives

To comply with the requirements of Article 4(6) of Regulation (EC) No 882/2004, the audit system should cover the following three points set out in Article 2(6):

(a)

Verification of compliance with planned arrangements in order to provide assurances that official controls are carried out as intended and that any instructions or guidelines given to staff carrying out the controls are followed. This may largely be addressed by document review, but will also require on-site verification. The audit team will require good generic audit knowledge and skills to address this audit objective.

(b)

Verification of the effective implementation of planned arrangements. In order to assess effectiveness, that is the extent to which planned results are achieved, on-site operational implementation must be included. This should include an assessment of the quality and consistency of the controls and should involve on-site audit activities. The audit team will require the relevant technical expertise in order to address this audit objective.

(c)

The audit system should also seek to assess whether the planned arrangements are suitable to achieve the objectives of Regulation (EC) No 882/2004, and in particular the single integrated multi-annual national control plan. This should include assessing the suitability of official controls, with regard, for example, to their frequency and the methods applied, having regard to the structure of the production chain(s) and to production practices and volume. The audit team should have substantial knowledge and understanding of system auditing, together with relevant technical input to address this audit objective.

In order to determine whether the planned arrangements are suitable to achieve the objectives set out in (c) above, the following should be considered:

Audit criteria should include strategic objectives stemming from Regulations (EC) No 178/2002 and (EC) No 882/2004 (including the single integrated multi-annual national control plan) and national legislation.

The primary focus of audits should be the control arrangements relating to the critical points for control in the production chain(s). The emphasis should be on assessing whether planned arrangements are capable of delivering sufficient guarantees on (a) the safety of the end-product(s) and (b) compliance with other feed and food law requirements and with animal health and welfare rules. In order to achieve this, audit(s) should where possible extend beyond and across administrative boundaries.

6.2.   Audit Reporting

Audit reports should contain clear conclusions stemming from the audit findings and, where appropriate, recommendations:

—

Conclusions should address the compliance with the planned arrangements, the effectiveness of the implementation, and the suitability of the planned arrangements to achieve the stated objectives, as appropriate. They should be based on objective evidence. In particular, where conclusions are drawn as to the planned arrangements' suitability to achieve the stated objectives, evidence may be obtained from the compilation and analysis of results from several audits. In this case conclusions should extend beyond the boundaries of individual establishments, units of authorities and authorities,

—	Recommendations should address the end-result to be delivered rather than means of correcting non-compliance. Recommendations should be based on sound conclusions.

6.3.   Follow-up of Audit Outcome

Where appropriate, an action plan should be drawn up and delivered by the auditee. It should propose time-bound corrective and preventive action to address any weakness identified by the audit or audit programme. The audit team should assess the suitability of the action plan and may be involved in verifying its subsequent implementation:

—

an Action plan enables the audit team to assess whether the proposed corrective and preventive action is sufficient to address the recommendations of the audit report. Action plans should include risk-based prioritisation and time frames for completion of corrective and preventive action. A wide range of different action plans could be considered satisfactory. It is for the auditee to choose from the various options available,

—

Corrective and preventive action should not be confined to addressing specific technical requirements but should, where appropriate, include system-wide measures (for example communication, cooperation, coordination, reviewing and streamlining of control processes, and so forth). A root cause analysis of any non-compliance should be conducted by the auditee in order to determine the most appropriate corrective and preventive action. Any differences of opinion between the auditee and audit team should be resolved,

—	Close-out: Mechanisms should be established to ensure that action plans are appropriate and that corrective and preventive actions are effectively completed in a timely manner. Procedures for verifying the close out of the action plan should be agreed between the auditee and the audit team.

6.4.   Audit Review and Dissemination of Best Practice

The implications of audit findings for other sectors and regions should be considered, particularly in Member States where controls are delegated to a number of competent authorities or are decentralised. In particular, examples of best practice should be disseminated. For this purpose, reports should be made available to other sectors and regions within the Member State and to the Commission. Audit results should also be considered while planning the audit programme and in the context of the review of the single integrated multi-annual national control plan.

6.5.   Resources

Member States should ensure that competent authorities have sufficient implementing powers, and resources, with the appropriate authority, to establish, implement and maintain an effective audit system.

The human and related resources required to manage, monitor and review the audit process should be made available, bearing in mind that all competent authorities and their control activities should be audited over a period not exceeding five years. General guidance on the resources required for auditing is provided in ISO 19011. In order to have the necessary expertise to fulfil the purpose and scope of the audit and audit programme(s), the audit team may include any combination of general and technical specialist auditors and technical experts. Care should be taken to ensure the objectivity and independence of the audit team, especially where technical experts are required. To that end, the rotation of auditors and/or of audit teams may assist in achieving this.

6.6.   Auditor Competence

Auditor competence and selection criteria should be defined under the following headings:

—	generic knowledge and skills — audit principles, procedures and techniques; management/organisational skills,

—	specific technical knowledge and skills,

—	personal attributes,

—	education,

—	work experience,

—	auditor training and experience.

It is essential to put a mechanism in place to ensure auditors are consistent and their competencies are maintained. Competencies required by audit teams will vary depending on the area they are auditing within the control or supervision systems. As regards the technical knowledge and skills required by auditors, the training requirements for staff performing official controls (Chapter 1 of Annex II to Regulation (EC) No 882/2004) should also be considered.

---

(1)   OJ L 31, 1.2.2002, p. 1.

(2)   ‘Guidelines for quality and/or environmental management systems auditing’, published by International Organisation for Standardisation, 1 October 2002.

(3)   ‘Quality management systems — Fundamentals and vocabulary’, published by the International Organisation for Standardisation, December 2000.